
I monitor for failed authentications on DCs.

labels: Authentication | Fail | Kerberos | User

My top failed authentications are on one client/one account that I can’t hunt down. I have looked at all processes and their “credentials” + installed Sysmon on the client. But I can’t find the process or user. Any ideas how I could hunt this down?

Hi Henrik,

I am unsure I understand your question properly. What do you mean exactly when you say you can’t hunt down the account?

Best Regards,
Gustav


I mean that I can’t find which process on the target is doing the logons. There is nothing in the Security or Sysmon event log on the target, no scheduled tasks, processes, or config files with that account. The failed logins occur once a minute.


Hi,

Alright, that makes more sense.

Can you tell me which event id you get from the failed login events?

Best Regards,
Gustav


event_id=4771


Hi Henrik,

In the user_id field there should be a SID. Can you try mapping the SID to the user?

Also, you can see the reason for failing by matching the status_code to the error message as seen in the table on this link: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4771

Best Regards,
Gustav


Hi!

The SID is mapped to a valid user account in AD; 0x18 is the status_code.


Hi Henrik,

Could it be a Service Account generating failed logins because of a password change?

https://backstage.forgerock.com/knowledge/kb/article/a62965844

0x18 Pre-authentication information was invalid. Usually means bad password.

Best Regards,
Gustav
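Not part of the thread: an added Python triage script, written by the editor rather than by either poster, that reproduces the steps suggested above on exported 4771 records. It groups failures by client address and account SID, decodes the failure code, and checks whether the failures arrive at a steady cadence, which is the pattern of a stored credential that went stale after a password change. The event records, host addresses, SIDs and account names are constructed; the failure codes other than 0x18 are the RFC 4120 values.

```python
"""Triage of Kerberos pre-authentication failures (Windows event 4771).

Editor's example, not the forum poster's code. Groups 4771 records by
(client address, account SID), decodes the Failure Code field and flags
a regular cadence of 0x18 failures from a single client, which usually
points at a cached or configured credential that is no longer valid.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Failure codes from RFC 4120 as they appear in the 4771 "Failure Code" field.
KRB_STATUS = {
    "0x6": "Client not found in Kerberos database (unknown user name)",
    "0x12": "Client credentials revoked (account disabled, locked out or expired)",
    "0x17": "Password has expired",
    "0x18": "Pre-authentication information was invalid (usually a bad password)",
    "0x25": "Clock skew too great",
}

# Constructed sample events; hosts, SIDs and account names are invented.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T08:00:00", "event_id": 4771, "target_user": "svc-backup",
     "target_sid": "S-1-5-21-1111-2222-3333-1105", "client_address": "10.0.0.25", "status": "0x18"},
    {"time": "2024-03-01T08:01:00", "event_id": 4771, "target_user": "svc-backup",
     "target_sid": "S-1-5-21-1111-2222-3333-1105", "client_address": "10.0.0.25", "status": "0x18"},
    {"time": "2024-03-01T08:02:00", "event_id": 4771, "target_user": "svc-backup",
     "target_sid": "S-1-5-21-1111-2222-3333-1105", "client_address": "10.0.0.25", "status": "0x18"},
    {"time": "2024-03-01T08:02:30", "event_id": 4771, "target_user": "jdoe",
     "target_sid": "S-1-5-21-1111-2222-3333-1201", "client_address": "10.0.0.77", "status": "0x18"},
    {"time": "2024-03-01T08:03:00", "event_id": 4771, "target_user": "svc-backup",
     "target_sid": "S-1-5-21-1111-2222-3333-1105", "client_address": "10.0.0.25", "status": "0x18"},
    {"time": "2024-03-01T08:04:00", "event_id": 4771, "target_user": "svc-backup",
     "target_sid": "S-1-5-21-1111-2222-3333-1105", "client_address": "10.0.0.25", "status": "0x18"},
    {"time": "2024-03-01T08:05:10", "event_id": 4771, "target_user": "jdoe",
     "target_sid": "S-1-5-21-1111-2222-3333-1201", "client_address": "10.0.0.77", "status": "0x17"},
]


def decode_status(code):
    """Map a 4771 failure code such as '0x18' to its meaning."""
    return KRB_STATUS.get(code.lower(), f"unknown failure code {code}")


def group_failures(events):
    """Bucket 4771 events by (client address, target SID), oldest first."""
    groups = defaultdict(list)
    for e in events:
        if e["event_id"] != 4771:
            continue
        groups[(e["client_address"], e["target_sid"])].append(e)
    for g in groups.values():
        g.sort(key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
    return groups


def cadence_seconds(group):
    """Return the median gap in seconds if the failures are evenly spaced, else None.

    "Evenly spaced" means every gap lies within 10% of the median gap; a
    human typing a wrong password does not produce that, a timer does.
    """
    if len(group) < 3:
        return None
    times = [datetime.fromisoformat(e["time"]) for e in group]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = median(gaps)
    if med <= 0:
        return None
    return med if max(abs(g - med) for g in gaps) <= 0.1 * med else None


def triage(events):
    """Summarise each (client, account) pair, most failures first."""
    findings = []
    for (client, sid), group in group_failures(events).items():
        statuses = sorted({e["status"].lower() for e in group})
        cad = cadence_seconds(group)
        verdict = "review"
        if statuses == ["0x18"] and cad is not None:
            verdict = "likely stale credential on client"
        findings.append({
            "client": client, "sid": sid, "user": group[-1]["target_user"],
            "count": len(group), "statuses": statuses,
            "reasons": [decode_status(s) for s in statuses],
            "cadence_s": cad, "verdict": verdict,
        })
    findings.sort(key=lambda f: f["count"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['client']:<12} {f['user']:<12} n={f['count']:<3} "
              f"cadence={f['cadence_s']} {f['verdict']}: {'; '.join(f['reasons'])}")
```

The verdict is only a hint: a steady once-a-minute 0x18 from one client narrows the search to something on that host that replays a saved password on a timer (a service, mapped drive or scheduled task), which is the password-change scenario Gustav raises.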



Thank you for your answers!

